[ad_1]
We have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues.
We have now created a solution to address the problem of messages stuck in transport queues on Exchange Server 2016 and Exchange Server 2019 because of a latent date issue in a signature file used by the malware scanning engine within Exchange Server. Customer action is required to implement this solution. When the issue occurs, you’ll see errors in the Application event log on the Exchange Server, specifically event 5300 and 1106 (FIPFS), as illustrated below:
Log Name: Application
Source: FIPFS
Logged: 1/1/2022 1:03:42 AM
Event ID: 5300
Level: Error
Computer: server1.contoso.com
Description: The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long.
Log Name: Application
Source: FIPFS
Logged: 1/1/2022 11:47:16 AM
Event ID: 1106
Level: Error
Computer: server1.contoso.com
Description: The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error.
Using the Automated Solution
- Run the script on each Exchange mailbox server that downloads antimalware updates in your organization (use elevated Exchange Management Shell).
- Before running the script, change the execution policy for PowerShell scripts by running Set-ExecutionPolicy -ExecutionPolicy RemoteSigned.
Edge Transport servers are unaffected by this issue. You can run this script on multiple servers in parallel. After the script has completed, you will see the following output:
[PS] C:Program FilesMicrosoftExchange ServerV15Scripts>.Reset-ScanEngineVersion.ps1
EXCH1 Stopping services...
EXCH1 Removing Microsoft engine folder...
EXCH1 Emptying metadata folder...
EXCH1 Starting services...
WARNING: Waiting for service 'Microsoft Filtering Management Service (FMS)' to start...
WARNING: Waiting for service 'Microsoft Filtering Management Service (FMS)' to start...
WARNING: Waiting for service 'Microsoft Filtering Management Service (FMS)' to start...
WARNING: Waiting for service 'Microsoft Filtering Management Service (FMS)' to start...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
EXCH1 Starting engine update...
Running as EXCH1-DOMAdministrator.
--------
Connecting to EXCH1.CONTOSO.com.
Dispatched remote command. Start-EngineUpdate -UpdatePath http://amupdatedl.microsoft.com/server/amupdate
--------
[PS] C:Program FilesMicrosoftExchange ServerV15Scripts>Get-EngineUpdateInformation
Engine : Microsoft
LastChecked : 01/01/2022 08:58:22 PM -08:00
LastUpdated : 01/01/2022 08:58:31 PM -08:00
EngineVersion : 1.1.18800.4
SignatureVersion : 1.355.1227.0
SignatureDateTime : 01/01/2022 03:29:06 AM -08:00
UpdateVersion : 2112330001
UpdateStatus : UpdateAttemptSuccessful
Using the Manual Solution
In lieu of using the script, customers can also manually perform steps to resolve the issue and restore service. To manually resolve this issue, you must perform the following steps on each Exchange mailbox server in your organization that downloads antimalware updates. Edge Transport servers are unaffected by this issue.
Remove existing engine and metadata
1. Stop the Microsoft Filtering Management service. When prompted to also stop the Microsoft Exchange Transport service, click Yes.
2. Use Task Manager to ensure that updateservice.exe is not running.
3. Delete the following folder: %ProgramFiles%MicrosoftExchange ServerV15FIP-FSDataEnginesamd64Microsoft.
4. Remove all files from the following folder: %ProgramFiles%MicrosoftExchange ServerV15FIP-FSDataEnginesmetadata.
Update to latest engine
1. Start the Microsoft Filtering Management service and the Microsoft Exchange Transport service.
2. Open the Exchange Management Shell, navigate to the Scripts folder (%ProgramFiles%MicrosoftExchange ServerV15Scripts), and run Update-MalwareFilteringServer.ps1 <server FQDN>.
Verify engine update info
1. In the Exchange Management Shell, run Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell.
2. Run Get-EngineUpdateInformation and verify the UpdateVersion information is 2112330001.
After updating the engine, we also recommend that you verify that mail flow is working and that FIPFS error events are not present in the Application event log.
FAQ
Is the solution for this problem automated?
Implementation of the solution requires customer actions, and it will take some time to make the necessary changes, download the updated files, and clear the transport queues. Actions can be automated with the scan engine reset script from https://aka.ms/ResetScanEngineVersion or they can be performed manually. Whether you perform the steps automatically or manually, they must be performed on every on-premises Exchange 2016 and Exchange 2019 server in your organization. If you use the automated script, you can run it on multiple servers in parallel.
How long will running of automated script take?
Depending on the size of your organization, the script might take some time to run; please be patient.
How long will it take to clear up the queues after the script has been run?
Depending on the number of messages that were queued up and the amount of new messages transport has to process, the time might vary. Please be patient and monitor those queues are draining (number of messages are decreasing) by using Get-queue command.
We are in Exchange Hybrid environment. What do we need to do?
If you are using your on-premises Exchange server to send email (for example using Centralized Mailflow or sending messages from on-premises devices), please follow this blog post and use the script to change configuration on your on-premises servers used for email transport. If you are using Exchange on-premises only for management of Exchange recipients, you do not need to take any action.
What are the services that the script is stopping?
The following services will be restarted: Microsoft Filtering Management and Microsoft Exchange Transport.
We have temporarily disabled Antimalware. Should it be enabled after following this blog post?
If you have temporarily disabled the antimalware service, you should enable it after you have followed this blog post (use the Enable-AntimalwareScanning.ps1 script). The solution described in this post is a full solution for this problem and will result in transport queues clearing and Antimalware engine working as expected.
The version of the updated scan engine starts with 2112330001; is this right? Should we be concerned that it seems to reference a date that does not exist?
The newly updated scanning engine is fully supported by Microsoft. While we need to work on this sequence longer term, the scanning engine version was not rolled back, rather it was rolled forward into this new sequence. The scanning engine will continue to receive updates in this new sequence.
What if my Exchange servers do not have access to the Internet?
If your Exchange mailbox servers do not download antimalware updates from the Internet, you do not need to perform any manual action. In that case, the servers have not been downloading antimalware updates to begin with, and the problem described here will not exist.
Major changes to this blog post:
- 1/2: Clarified the exact process to run the automated script solution
- 1/2: Added the FAQ to the blog post
- 1/1: Major update mentioning our manual and scripted solution for this problem; disablement of Antimalware service as a workaround has been removed
- 1/1: Original release
Source link